10 — Log and Monitor All Access to System Components and Cardholder Data
18 requirements in the Log and Monitor All Access to System Components and Cardholder Data requirement
10.1.1 All security policies and operational procedures that are identified in Requirement 10 are: Documented.
10.1.2 Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.
10.2.1 Audit logs are enabled and active for all system components and cardholder data.
10.2.2 Audit logs record the following details for each auditable event: User identification.
10.3.1 Read access to audit log files is limited to those with a job-related need.
10.3.2 Audit log files are protected to prevent modifications by individuals.
10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.
10.3.4 File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts.
10.4.1 The following audit logs are reviewed at least once daily: All security events.
10.4.2 Logs of all other system components (those not specified in Requirement 10.
10.4.3 Exceptions and anomalies identified during the review process are addressed.
10.5.1 Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
10.6.1 System clocks and time are synchronized using time-synchronization technology.
10.6.2 Systems are configured to the correct and consistent time as follows: One or more designated time servers are in use.
10.6.3 Time synchronization settings and data are protected as follows: Access to time data is restricted to only personnel with a business need.
10.7.1 Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: Network security controls; IDS/IPS; FIM; Anti-malware solutions; Physical access controls; Logical access controls; Audit logging mechanisms; Segmentation controls (if used). Applicability Notes: This requirement applies only when the entity being assessed is a service provider.
10.7.2 Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: Network security controls.
10.7.3 Failures of any critical security control systems are responded to promptly, including but not limited to: Restoring security functions.